1. Field of the Invention
The present invention relates to security in a distributed network. More specifically, the invention relates to authenticating a personal identification number (PIN) in a distributed network without sending the PIN over the network
Portions of the disclosure of this patent document contain material that is subject to copyright protection. The copyright owner has no objection to the facsimile reproduction by anyone of the patent document or the patent disclosure as it appears in the Patent and Tradermark Office file or records, but otherwise reserves all copyright tights whatsoever.
2. Background Art
When logging in to a distributed network of computing devices, it is typical for a security measure to be in place which insures the identity of the individual logging in. One manner where this occurs is on a system that uses a smart card. The user inserts the card into a card reading device attached to the computing system and enters a personal identification number (PIN) onto a keyboard or other input device of the computing system. If the PIN number is authenticated then the user logs in and begins using the distributed network.
As will be further explained below, the manner in which the PIN number is currently authenticated is vulnerable to snooping attacks from untrusted third parties that might use the PIN to compromise the network. Before further describing the problems associated with current techniques which authenticate PINs, an example computing environment where this problem occurs is described below.
Multi-Tier Application Architecture
In the multi-tier application architecture, a client communicates requests to a server for data, software and services, for example, and the server responds to the requests. The server's response may entail communication with a database management system for the storage and retrieval of data. The multi-tier architecture includes at least a database tier that includes a database server, an application tier that includes an application server and application logic (i.e., software application programs, functions, etc.), and a client tier. The application server responds to application requests received from the client. The application server forwards data requests to the database server.
FIG. 1 provides an overview of a multi-tier architecture. Client tier 100 typically consists of a computer system that provides a graphic user interface (GUI) generated by a client 110, such as a browser or other user interface application. Conventional browsers include Internet Explorer and Netscape Navigator, among others. Client 110 generates a display from for example, a specification of GUI elements (e.g., a file containing input, form, and text elements defined using the Hypertext Markup Language (HTML)) and/or from an applet (i.e., a program such as a program written using the Java™ programming language, or other platform independent programming language, that runs when it is loaded by the browser).
Further application functionality is provided by application logic managed by application server 120 in application tier 130. The apportionment of application functionality between client tier 100 and application tier 130 is dependent upon whether a “thin client” or “thick client” topology is desired. In a thin client topology, the client tier (i.e., the end user's computer) is used primarily to display output and obtain input, while the computing takes place in other tiers. A thick client topology, on the other hand, uses a more conventional general purpose computer having processing, memory, and data storage abilities. Database tier 140 contains the data that is accessed by the application logic in application tier 130. Database server 150 manages the data, its structure and the operations that can be performed on the data and/or its structure.
Application server 120 can include applications such as a corporation's scheduling, accounting, personnel and payroll applications, for example. Application server 120 manages requests for the applications that are stored therein. Application server 120 can also manage the storage and dissemination of production versions of application logic. Database server 150 manages the database(s) that manage data for applications. Database server 150 responds to requests to access the scheduling, accounting, personnel and payroll applications' data, for example.
Connection 160 is used to transmit data between client tier 100 and application tier 130, and may also be used to transfer the application logic to client tier 100. The client tier can communicate with the application tier via, for example, a Remote Method Invocator (RMI) application programming interface (API) available from Sun Microsystems™. The RMI API provides the ability to invoke methods, or software modules, that reside on another computer system. Parameters are packaged and unpackaged for transmittal to and from the client tier. Connection 170 between application server 120 and database server 150 represents the transmission of requests for data and the responses to such requests from applications that reside in application server 120.
Elements of the client tier, application tier and database tier (e.g., client 110, application server 120 and database server 150) may execute within a single computer. However, in a typical system, elements of the client tier, application tier and database tier may execute within separate computers interconnected over a network such as a LAN (local area network) or WAN (wide area network).
Security Measures
Smart cards are used in environments like the multi-tier application architecture as a security measure to insure the identity of the user when he/she logs into a computing device on the client tier. Once identified, data on the database tier and applications on the application tier may be used. One advantage associated with using a smart card or other identification technique is that no matter where the computing device is located on the client tier, the same data and applications that the user needs, or was using before his/her last log-off, can be retrieved.
Smart cards are useful for securely storing secret information and embedding cryptographic algorithms for use in a cryptographic system. In many cases, the smart card requires the presentation of a secret that only the cardholder knows. Sometimes this secret is contained in a PIN number. Since the smart card itself has no mechanism for interacting with a human being (i.e., no keyboard or display), it requires the system it is being used with to provide the human I/O facilities to prompt the cardholder for a PIN and to accept the cardholder's input of the PIN, typically on a keyboard or other suitable input device.
As the PIN is being entered on the keyboard, it is vulnerable to a snooping attack where an untrusted third party might be able to access the PIN and compromise it. In the case where the smart card is coupled to a client computer system, the keyboard typically sends keyboard codes across an unencrypted network link to a server. The server, in turn, returns the keyboard codes to the client for presentation to the smart card. In this scenario, the keyboard codes are vulnerable to an interception attack at two points—on their way from the client to the server and on their way back from the server to the client. Moreover, since the keyboard codes of the PIN are resident on the server, at least for the time required to send those codes back to the client system, the PIN is vulnerable to a snooping attack while it is on the server.
One solution is to provide a smart card reader with a built in key pad used to enter the PIN. This avoids the danger of snooping that might occur when the PIN is authenticated via a server on the distributed network. This solution, however, is disadvantageous because it requires expensive and dedicated hardware to authenticate the PIN.